FIX: Correctly handle invalid auth cookies (#16995)

Previously it would blow up on invalid utf byte sequences. This was a source of spec flakiness.
2025-05-25 00:32:52 +08:00 · 2022-06-07 13:00:25 +02:00
parent 98671445a7
commit 1a5dbbf430
2 changed files with 7 additions and 4 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -77,8 +77,9 @@ class Auth::DefaultCurrentUserProvider
  ]
  def self.find_v0_auth_cookie(request)
-    cookie = request.cookies[TOKEN_COOKIE].presence
+    cookie = request.cookies[TOKEN_COOKIE]
-    if cookie && cookie.size == TOKEN_SIZE
+
    if cookie&.valid_encoding? && cookie.present? && cookie.size == TOKEN_SIZE
      cookie
    end
  end
@ -88,8 +89,10 @@ class Auth::DefaultCurrentUserProvider
    env[DECRYPTED_AUTH_COOKIE] = begin
      request = ActionDispatch::Request.new(env)
      cookie = request.cookies[TOKEN_COOKIE]
      # don't even initialize a cookie jar if we don't have a cookie at all
-      if request.cookies[TOKEN_COOKIE].present?
+      if cookie&.valid_encoding? && cookie.present?
        request.cookie_jar.encrypted[TOKEN_COOKIE]&.with_indifferent_access
      end
    end
--- a/spec/lib/middleware/anonymous_cache_spec.rb
+++ b/spec/lib/middleware/anonymous_cache_spec.rb
@ -29,6 +29,7 @@ describe Middleware::AnonymousCache do
      it "is true if it has an invalid auth cookie" do
        cookie = create_auth_cookie(token: SecureRandom.hex, issued_at: 5.minutes.ago)
        cookie = swap_2_different_characters(cookie)
        cookie.prepend("%a0%a1") # an invalid byte sequence
        expect(new_helper("HTTP_COOKIE" => "jack=1; _t=#{cookie}; jill=2").cacheable?).to eq(true)
      end
@ -376,5 +377,4 @@ describe Middleware::AnonymousCache do
      expect(@status).to eq(403)
    end
  end
 end